CVE-2026-35665
Severity: MEDIUM
OpenClaw < 2026.3.24 - Denial of Service via Feishu Webhook Pre-Auth Body Parsing
Title source: cna
Description
OpenClaw before 2026.3.24 contains an incomplete fix for CVE-2026-32011: the Feishu webhook handler accepts request bodies under a permissive 1MB size limit and 30-second timeout before the request signature is verified. An unauthenticated attacker can exhaust the server's connection resources by sending concurrent slow HTTP POST requests to the Feishu webhook endpoint, blocking legitimate webhook deliveries.
References (2)
Third Party Advisory
GitHub Security Advisory (GHSA-w6m8-cqvj-pg5v)
https://github.com/openclaw/openclaw/security/advisories/GHSA-w6m8-cqvj-pg5v
Third Party Advisory
VulnCheck Advisory: OpenClaw < 2026.3.24 - Denial of Service via Feishu Webhook Pre-Auth Body Parsing
https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-feishu-webhook-pre-auth-body-parsing
Scores
CVSS v3
5.3
EPSS
0.0033
EPSS Percentile
24.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-405
Status
published
Products (4)
npm/openclaw (npm)
0 - 2026.3.24
OpenClaw/OpenClaw
< 2026.3.24
openclaw/openclaw
< 2026.3.24
OpenClaw/OpenClaw
2026.3.24
Published
Apr 10, 2026
Tracked Since
Apr 10, 2026